User: Password:
|
|
Subscribe / Log in / New account

On the security of our processes and infrastructure

On the security of our processes and infrastructure

Posted Sep 9, 2011 2:08 UTC (Fri) by koverstreet (subscriber, #4296)
Parent article: On the security of our processes and infrastructure

I think the value of GPG signing every commit (wherever we would sign off on a commit today) ought to be clear now...


(Log in to post comments)

On the security of our processes and infrastructure

Posted Sep 9, 2011 2:46 UTC (Fri) by rweir (subscriber, #24833) [Link]

that doesn't really help with the "compromised dev laptop" attack, though.

On the security of our processes and infrastructure

Posted Sep 9, 2011 8:07 UTC (Fri) by Klavs (guest, #10563) [Link]

if the dev. used a PKCS#11 interface to sign (using a smartcard with a pin or whatever) f.ex. - would help that :)

But still - it'll take more patience and a keylogger, if they were signed.

On the security of our processes and infrastructure

Posted Sep 9, 2011 16:39 UTC (Fri) by JoeBuck (guest, #2330) [Link]

No, it wouldn't help. If the developer's system is compromised, the rootkit could see and intercept every action. The rootkit would simply wait for the developer to sign a commit, and then apply that signature to a different commit. The fact that the developer also had to enter a token from a smartcard or get her iris scanned is no defense if someone else owns the developer's machine.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds